Vulnerability Note VU#583776

Network traffic encrypted using RSA-based SSL certificates over SSLv2 may be decrypted by the DROWN attack

Overview

Network traffic encrypted using an RSA-based SSL certificate may be decrypted if enough SSLv2 handshake data can be collected. This is known as the "DROWN" attack in the media.

Description

According to the researchers, DROWN is a new form of cross-protocol Bleichenbacher padding oracle attack. An attacker using DROWN may obtain the session key from a vulnerable server supporting SSLv2 and use it to decrypt any traffic encrypted using the shared certificate. In the researchers' words, it "allows an attacker to decrypt intercepted TLS connections by making specially crafted connections to an SSLv2 server that uses the same private key."

The SSLv2 protocol is the only protocol directly impacted; however, the researchers' website states that many servers share a certificate between SSLv2 and the newer TLS protocols. Where that is the case, if traffic protected by the certificate can be decrypted via SSLv2, then TLS traffic using the shared certificate can be decrypted as well. Approximately 1000 SSL handshakes must be intercepted for the attack to be effective.

The researchers have also released a DROWN attack check tool and an FAQ that provides more complete information.

Impact

A remote attacker may be able to decrypt individual messages/sessions of a server supporting SSLv2. Servers using TLS protocol with the same shared certificate as is used for SSLv2 may also be vulnerable. According to the DROWN FAQ, the server private key is not obtained from this attack.

Solution

Disable SSLv2

Network administrators should disable SSLv2 support. The researchers have provided more information on how to disable SSLv2 for various server products.

This issue can be mitigated on TLS connections by using unique SSL keys and certificates. If possible, do not reuse key material or certificates between SSLv2 and TLS support on multiple servers.

Monitor network and use firewall rules

We recommend enabling firewall rules to block SSLv2 traffic. Since the attack requires approximately 1000 SSL handshakes, network administrators may also monitor logs to look for repeated connection attempts. However, this data may also be obtained via man-in-the-middle or other attacks, not solely from direct connections.
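The two defensive measures above, blocking SSLv2 at the network edge and watching for repeated handshake attempts, both depend on recognising an SSLv2 CLIENT-HELLO on the wire. The following is an added example and is not the CERT note's, the researchers' check tool, or any product's code: it parses the SSLv2 record and CLIENT-HELLO layout from the SSLv2 draft specification, flags the 40-bit export cipher kinds, and counts hellos per source against a threshold. The threshold value, the source addresses and the connection samples are constructed for the demonstration.

```python
"""Added example (not part of the CERT note or the researchers' tools):
recognise SSLv2 CLIENT-HELLO records and count them per source so that
repeated handshake attempts stand out.  Record layout follows the SSLv2
draft specification; all sample traffic below is constructed."""

import struct
from collections import Counter

# 3-byte CIPHER-SPEC values defined by the SSLv2 draft.
SSLV2_CIPHER_KINDS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
EXPORT_KINDS = (b"\x02\x00\x80", b"\x04\x00\x80")  # 40-bit export ciphers


def parse_sslv2_client_hello(data):
    """Return a dict describing an SSLv2 CLIENT-HELLO at the start of `data`,
    or None if the bytes are not one.  Only the 2-byte (unpadded) record
    header is handled, which is the form a client hello uses."""
    if len(data) < 11 or not data[0] & 0x80:
        return None                        # high bit clear: not a 2-byte SSLv2 header
    rec_len = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + rec_len]
    if len(body) < 9 or body[0] != 0x01:   # message type 0x01 = CLIENT-HELLO
        return None
    version, cs_len, sid_len, chal_len = struct.unpack("!HHHH", body[1:9])
    if cs_len % 3 or 9 + cs_len + sid_len + chal_len != len(body):
        return None                        # the three lengths must fill the record exactly
    specs = [body[9 + i:12 + i] for i in range(0, cs_len, 3)]
    return {
        "version": version,                # 0x0002 = SSLv2; 0x03xx = SSLv2-format hello from a TLS client
        "ciphers": [SSLV2_CIPHER_KINDS.get(s, s.hex()) for s in specs],
        "export": any(s in EXPORT_KINDS for s in specs),
    }


def flag_repeated_sslv2(events, threshold):
    """events: iterable of (source, first_bytes_of_connection).
    Returns {source: count} for sources whose SSLv2 hello count reaches
    `threshold`; TLS-format records and other traffic are ignored."""
    counts = Counter()
    for src, first_bytes in events:
        if parse_sslv2_client_hello(first_bytes) is not None:
            counts[src] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


def build_client_hello(version, specs, challenge=b"\x00" * 16):
    """Construct an SSLv2 CLIENT-HELLO record (used here only to build test data)."""
    body = b"\x01" + struct.pack("!HHHH", version, 3 * len(specs), 0, len(challenge))
    body += b"".join(specs) + challenge
    return struct.pack("!H", 0x8000 | len(body)) + body


# Constructed samples: one SSLv2 hello offering an export cipher, and the
# first bytes of an ordinary TLS 1.2 record, which must not be counted.
SSLV2_HELLO = build_client_hello(0x0002, [b"\x02\x00\x80", b"\x01\x00\x80"])
TLS12_RECORD = b"\x16\x03\x03\x00\x05hello"
SAMPLE_EVENTS = (
    [("203.0.113.5", SSLV2_HELLO)] * 3          # repeated SSLv2 hellos from one source
    + [("198.51.100.7", SSLV2_HELLO)]           # a single hello: below threshold
    + [("192.0.2.9", TLS12_RECORD)] * 5         # plain TLS, ignored
)
ALERT_THRESHOLD = 3                             # constructed; the note cites ~1000 for the real attack


def demo():
    return flag_repeated_sslv2(SAMPLE_EVENTS, ALERT_THRESHOLD)


if __name__ == "__main__":
    print(parse_sslv2_client_hello(SSLV2_HELLO))
    print(demo())
```

The parser rejects anything whose declared cipher, session-id and challenge lengths do not fill the record exactly, so ordinary TLS records (which begin with a content-type byte below 0x80) and truncated data are never counted. In production the `events` iterable would come from a packet capture or a connection log that retains the first bytes of each session, and the threshold would be tuned to the site's normal volume.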